
US006081610A 

United States Patent [19]          [11] Patent Number: 6,081,610

Dwork et al.                       [45] Date of Patent: *Jun. 27, 2000



[54] SYSTEM AND METHOD FOR VERIFYING 
SIGNATURES ON DOCUMENTS 

[75] Inventors: Cynthia Dwork, Palo Alto, Calif.; Moni Naor, Tel Aviv, Israel; Florian Pestoni, Buenos Aires, Argentina

[73] Assignee: International Business Machines Corporation, Armonk, N.Y.

[ * ] Notice: This patent issued on a continued prosecution application filed under 37 CFR 1.53(d), and is subject to the twenty year patent term provisions of 35 U.S.C. 154(a)(2).

[21] Appl. No.: 08/586,020 
[22] Filed: Dec. 29, 1995 

[51] Int. Cl.7 G06K 9/00

[52] U.S. Cl. 382/119; 380/4; 380/23; 380/30

[58] Field of Search 282/119, 120, 282/121, 122, 123, 137, 140; 280/3, 4, 23, 30, 25, 21

[56] References Cited

U.S. PATENT DOCUMENTS

4,385,285    5/1983   Horst et al.        382/119
4,868,877    9/1989   Fischer             380/25
4,993,068    2/1991   Piosenka et al.     380/30
5,202,930    4/1993   Livshitz et al.     382/122
5,339,361    8/1994   Schwalm et al.      382/119
5,469,506   11/1995   Berson et al.       380/25
5,533,141    7/1996   Futatsugi et al.    382/119
5,602,933    2/1997   Blackwell et al.    382/119

FOREIGN PATENT DOCUMENTS

0214609A2    3/1986   European Pat. Off.  H04L 9/00

OTHER PUBLICATIONS

C. Dwork, M. Naor, An Efficient Existentially Unforgeable Signature Scheme and its Applications, Advances in Cryptology-CRYPTO '94, 14th Annual International Cryptology Conference, Santa Barbara, California, pp. 234-246, Aug. 1994 Proceedings.

Primary Examiner: Joseph Mancuso
Attorney, Agent, or Firm: Romualdas Strimaitis; James C. Pintner

[57] ABSTRACT 

A system and method are provided for producing verified 
signatures on documents such as checks and affidavits. 
Initially, a customer who is to obtain a verified signature, at 
some point in time, registers with a signatory authority, and 
a secret key, having public and private components, is 
established uniquely for that customer. When a document 
requires a verified signature, the customer presents the 
document and proof of his/her identity, such as a prepro- 
grammed computer-interfacable card, to a signature system. 
Typically, such a system is to be available at an institution, 
such as an office, bank, or post office, where such services 
will routinely be used. The system accesses the archive of 
the private portion of the customer's key, and generates an 
encoded signature based, in part, on the content of the 
document. Accordingly, when a recipient of the document 
later wishes to verify the signature, the recipient uses the
customer's public key to decode the signature. It is then 
straightforward to verify the signature against the content of 
the document. 

6 Claims, 3 Drawing Sheets 
SYSTEM AND METHOD FOR VERIFYING SIGNATURES ON DOCUMENTS

FIELD OF THE INVENTION

The invention generally relates to the field of communications. More specifically, the invention relates to the field of electronic processing of hard-copy forms.

BACKGROUND OF THE INVENTION

In the face of the modern-day revolution in electronic communications, hardcopy communication media, such as hardcopy mail and documents, are alive and well. In fact, a substantial segment of the communication field relies, to this day, on the use of hard-copy documents which bear a human signature, typically that of the originator or sender of the document.

One example of such documents is the personal check, written against a party's bank account, and signed by that party. Another example is affidavits, the class of forms or other documents which are required to be signed. Sometimes, affidavits must even be signed under oath, for instance signed while a notary public witnesses the signature. A common category of affidavit-type forms is Internal Revenue Service tax forms.

Many types of hard-copy documents require some sort of processing. Typically, a sender generates the document to provide a recipient with some sort of information which the recipient requires. In the case of personal checks, for instance, the sender, who makes out the check, wishes to transfer funds from an account to the recipient.

Processing by the recipient generally involves extracting information from the document and taking suitable action based on the content of the extracted information. For instance the recipient of a check, a creditor of the sender, extracts the dollar sum from the check and identifies the sender, so that the recipient can credit the sender for the payment.

Processing hard-copy documents can be a complex and labor-intensive task, depending on the type of forms and the sort of information the documents bear. Various mechanisms for handling documents, and scanning them to extract information for them, have been developed. Because of the sheer volume of checks and other such documents, such automated handling and scanning is a virtual necessity. For instance, banks use automatic handlers and scanners to extract information from checks. To accommodate these systems, checks are printed with machine-readable inks using standardized, machine-recognizable character sets.

However, one particular problem, which automatic systems have not handled in a satisfactory manner, is that of verifying signatures. In the case of checks, for instance, a bank will typically have on file a sample signature of an account holder. Any check drawn against the account holder's account should bear the account holder's signature. Ideally, for each check, the bank should verify the signature on the check against the sample signature.

Validating a signature, however, is not an easy task, since an individual's handwriting inevitably has certain variations from one sample to another. A human clerk, visually comparing the signatures, might well be able to both (i) recognize an authentic signature even though it does not identically match a sample signature on record, and (ii) tell the difference between an authentic account holder's signature and someone else's signature. An automatic system, on the other hand, would require sophisticated artificial intelligence and/or pattern-recognition technology to even make the attempt.

As a practical matter, institutions handling signed hard-copy documents have sometimes avoided the time and manpower costs by simply refraining from routinely comparing signatures. This failure to verify a signature raises the possibility that, for instance, a bank might honor a fraudulent check with a non-matching signature, with no one being the wiser until the account holder notices the fraudulent debit from his or her account.

Therefore, there is a need for a system and method for verifying signatures which is effective to recognize false signatures, while being efficient enough to avoid the time and manpower costs required for human signature verification.

SUMMARY OF THE INVENTION

It is an object of the invention to provide a system and method for verifying signatures which is effective to recognize false signatures, while being efficient enough to avoid the time and manpower costs required for human signature verification.

To achieve this and other objectives, there is provided in accordance with the invention a signature verification method for use with a document which is to bear a signature by a customer. The method comprises the following steps:

A database of keys is maintained, the keys being associated with respective parties, including the customer, who are to make signatures that are to be verified using the signature verification method of the invention, each of the keys including a securely archived private key and a publicly available public key.

When a customer needs a signature for a document, a digital signature is generated, employing the customer's private key; the signature being based on the content of the document. The signature is associated with the document, such as by printing the signature on the document.

A recipient of the document decodes the signature, using the customer's public key, thereby verifying that the customer signed the document because the customer's private key was used.

Finally, the recipient verifies the content of the document against the decoded signature, thereby verifying that the signature was made for the document.

While the invention is primarily disclosed as a method, it will be understood by a person of ordinary skill in the art that an apparatus, such as a conventional data processor, including a CPU, memory, I/O, program storage, a connecting bus, and other appropriate components, could be programmed or otherwise designed to facilitate the practice of the method of the invention. Such a processor would include appropriate program means for executing the method of the invention.

Also, an article of manufacture, such as a pre-recorded disk or other similar computer program product, for use with a data processing system, could include a storage medium and program means recorded thereon for directing the data processing system to facilitate the practice of the method of the invention. It will be understood that such apparatus and articles of manufacture also fall within the spirit and scope of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a high-level flowchart showing the method of the invention.

FIG. 2 is a flowchart showing a more detailed implementation of a step of the flowchart of FIG. 1.

FIG. 3 is a flowchart showing a more detailed implementation of a step of the flowchart of FIG. 1.
FIG. 4 is a block diagram of a system for practicing the method of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

In accordance with the invention, a signature is generated for a document, using a secret key. The secret key is preferably implemented as per the well-known public/private key system of RSA Data Security, which is well-known in the field of cryptography. In such a system, a given customer is assigned a unique secret key, having a public key and a private key component.

It is a characteristic of the key components that, if either one is used to encrypt a plaintext message, the other decodes the encrypted message. Further, given the public key component it is computationally infeasible to generate the private key component.

Therefore, a sender can encrypt a message intended only for the eyes of a recipient, using the recipient's public key, and send the encrypted message, knowing that only the recipient has the private key necessary to decrypt the message. On the other hand, a sender can encrypt a message using the sender's private key, so that any recipient who decrypts the message using the sender's public key knows that the message must have originated from the sender, because only the sender has the sender's private key.

The method of the invention takes advantage of the workings of such a scheme by using the latter characteristic, to establish with certainty that the signature is that of the sender, or of a sender's authorized agent.

FIG. 1 is a high level flowchart of the method of the invention. Separate steps, which form novel and non-obvious aspects of the invention, take place at different times. The steps shown in FIG. 1 are grouped, based on times at which the steps preferably take place.

Initially, step 2 of the method includes establishing and maintaining a secret key, such as the public/private key referred to above, associated with a respective customer, who is to provide a document requiring a signature. Preferably, a database of such keys is established, each customer having a public key, available to any interested party, and a private key, known only to the customer. The private key is archived in a suitably secure way, and the public key is made available to the public.

A preferred format for the public key is a two-dimensional code signed with a system key which is maintained by the system, and over which an authorized system administrator has control.

Also, a customer can request that his/her key be notarized. This is preferably done as follows: the customer presents the two-dimensional code signed with the system key, and proof of the customer's identity, to an authority. The authority then produces a two-dimensional encoding of the key presented, signed with the private key of the authority.

It is expected that, in typical, preferred implementations of the invention, step 2 takes place as a customer registers for services provided by the invention, possibly before the customer has a document for which he/she requires a verified signature.

When such a database is in place, a customer provides a document for a signature (step 4). Step 3 of FIG. 1, which collectively incorporates steps 4, 6, and 8, shows the activities associated with generating the signature.

In step 6, a digital signature is generated for the document, using the customer's secret key. Preferably the private key component of the customer's secret key is used. Also, the signature is preferably generated using, as input information, data pertaining to the document itself, such as a scanned bit map of the document. Therefore, the signature produced by step 6 is unique to the customer by virtue of its use of the customer's private key as well as being unique to the document, by virtue of being based on the content of the document. Accordingly, the signature is demonstrably authentic with regard to the document and the customer.

A preferred implementation of step 6, given in FIG. 2, includes producing a two-dimensional encoding of the content of the document, as well as the signature (step 20). The appropriate authority responds with [...] form of [...] of the authority (step 22). [...] no further proof of the customer's identity needs to be shown. Thus, forms can be sent by mail.

It is understood, also, that a signatory authority, such as a [...] or other suitable official can also produce a [...] demonstrably authentic.

In accordance with the invention, step 6 may be executed in a fashion which further protects the secrecy of the key. Consider, for instance, an environment in which a customer wanted to sign a check, although eavesdroppers might learn the key, and then be able to use it to sign fraudulent checks. To protect the secrecy of the customer's key, step 6 is executed using a technique which makes eavesdropping difficult or impossible.

In a preferred implementation, a customer uses a data carrier, preferably in card form, including an on-board [...] which he or she [...] utilizes, in a fashion similar to an ATM card. A suitable machine, [...] of a card believed to be [...] for use in accordance with the invention is a card produced by Hexaglot Warenhandels GmbH, under the trade name "Smartcard by Hexaglot".

FIG. 3 is a more detailed implementation of step 6 of FIG. 1, using the above-described card. Initially, an interface [...] between the card 42 carried by the customer, and a [...] a processor 44 [...] for a [...] established his/her identity (step 32), using a suitable procedure such as [...] a [...] code to a user interface 46. Depending on the type of processing machine, and the environment in which the customer is to use the machine, other identification procedures, which would be better suited to protect customer confidentiality, may alternatively be used.

Note that the processor 44 may be a general purpose computer, which executes the method of the invention by running software program code, which may be commercialized and made available using a pre-recorded product such as a floppy disk 47, which is purchased through a software vendor and installed in the processor, as shown by the arrow in FIG. 4. Alternatively, if the program code is distributed over a communication medium such as the Internet, then the floppy disk 47 is replaced by a computer-usable interface to the Internet.

Then, the customer instructs the system to generate a signature for the document (step 34). This may involve scanning the document (shown as 48 in FIG. 4) using a scanner 50, so that the signature will reflect the content of the document, as discussed above.
A signature scheme preferably should be used which is existentially unforgeable. The term "existentially unforgeable" is defined, formally, as follows: Where S(m) denotes a signature on a message m, given any polynomial (in the security parameter) number of pairs of messages and signatures

the signature scheme S is existentially unforgeable if, for any message $m_{k+1}$ which is not an element of the set of messages $m_1$ through $m_k$, it is computationally infeasible to generate a message/signature pair $(m_{k+1}, S(m_{k+1}))$.

A preferred signature method is that disclosed in Dwork et al., "An Efficient Existentially Unforgeable Signature Scheme and its Applications", published in Desmedt (Ed.), Advances in Cryptology-CRYPTO '94, 14th Annual Cryptology Conference, Santa Barbara, Calif. (Aug. 21-25, 1994).

Following step 6 of FIG. 1, in step 8, the signature so generated is associated with the document. Preferably, for hard-copy documents, the signature is printed, using a printer 52. The printed signature may be printed directly onto, or otherwise affixed to, the document 48 itself.

At this point, the preparation of the signature is complete. In instances where the signed document is to be forwarded to a recipient, the recipient performs additional steps, in accordance with the invention, at the later time at which the recipient receives and processes the document. The further activities which take place at that time are shown in FIG. 1 generally as step 9.

Initially, the recipient decodes the signature using the 
public component of the sender's secret key (step 10). In 
typical foreseeable applications of the invention, such as the 
situation in which the document is a check, the recipient will 
have access to a database of public components of the secret 
keys of various customers. Thus, step 10 is implemented by 
accessing the sender's public key from the database. 

After the public key is obtained, the signature is decoded. 
Then, it is a straightforward matter to verify the signature 
and the content of the document (step 12). 
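
The flow of FIG. 1 (steps 2, 6, 8, 10 and 12), together with the public key record signed by a system key described earlier, can be sketched as follows; this is an added example, not code from the patent. It applies unpadded RSA to a SHA-256 digest to mirror the "decode with the public key" wording, which is not the Dwork-Naor scheme the patent prefers and carries no existential-unforgeability proof. The function names, the record encoding, the hex text standing in for a two-dimensional code, and the demo keys built from published Mersenne primes are all assumptions.

```python
import hashlib

E = 65537  # RSA public exponent

def make_key(p, q):
    """Build (public, private) key components from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def mersenne(k):
    return 2**k - 1

# Constructed demo keys: published Mersenne primes stand in for the secret
# random primes a real key needs, so these keys protect nothing.
SYSTEM_PUB, SYSTEM_PRIV = make_key(mersenne(127), mersenne(521))
ALICE_PUB, ALICE_PRIV = make_key(mersenne(607), mersenne(1279))
BOB_PUB, BOB_PRIV = make_key(mersenne(2203), mersenne(2281))

def digest(data: bytes) -> int:
    """SHA-256 of the content as an integer (always below every modulus here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private) -> int:
    """Apply the private component to the digest of the content."""
    n, d = private
    return pow(digest(data), d, n)

def decodes_to(data: bytes, sig: int, public) -> bool:
    """Decode sig with the public component and compare it with the content."""
    n, e = public
    return 0 <= sig < n and pow(sig, e, n) == digest(data)

def key_record(customer: str, public) -> bytes:
    """Bytes of a public-key record, the part the system key signs."""
    n, e = public
    return f"{customer}|{n:x}|{e:x}".encode()

def register(key_db: dict, customer: str, public) -> None:
    """Step 2: publish the public key together with the system signature."""
    key_db[customer] = (public, sign(key_record(customer, public), SYSTEM_PRIV))

def sign_document(content: bytes, private) -> str:
    """Steps 6 and 8: sign the content; hex text stands in for the printed code."""
    return format(sign(content, private), "x")

def verify_document(content: bytes, printed: str, customer: str, key_db: dict) -> str:
    """Steps 10 and 12 on the recipient side; returns a verdict string."""
    entry = key_db.get(customer)
    if entry is None:
        return "unknown customer"
    public, system_sig = entry
    if not decodes_to(key_record(customer, public), system_sig, SYSTEM_PUB):
        return "key record not signed by system key"
    try:
        sig = int(printed, 16)
    except ValueError:
        return "unreadable signature"
    if not decodes_to(content, sig, public):
        return "signature does not match customer and content"
    return "verified"

if __name__ == "__main__":
    db = {}
    register(db, "alice", ALICE_PUB)
    register(db, "bob", BOB_PUB)
    check = b"PAY Example Utility Co. USD 120.00 DATE 1995-12-29"  # constructed
    code = sign_document(check, ALICE_PRIV)
    print(verify_document(check, code, "alice", db))               # genuine
    print(verify_document(check.replace(b"120", b"920"), code, "alice", db))
    print(verify_document(check, code, "bob", db))                 # wrong signer
```

A deployment would replace `sign` and `decodes_to` with a scheme that has an unforgeability proof, such as the one the patent cites or RSA-PSS, and would keep the private components in protected storage.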

It is believed that the invention has applicability in a number of different fields. For instance, the invention could be integrated into a financial software package, such as Intuit's Quicken® product. The resultant software package would enable a user to print and sign a check at the press of a button. In addition to the ledger-maintenance and other features already offered by such a package, the addition of the invention would advantageously add the capability of printing a check, together with a robust two-dimensional array code representation of all relevant information (e.g., the content of the check, the date, etc.) and a digital signature. Similarly, other signed documents, such as tax returns, may be prepared.

Such a system could be used with a large-scale payroll system for a large corporation, a system for preparing stock dividend checks, or, in general, for any situation in which the preparation of checks causes a significant consumption of time. Also, as an added function of a payroll system in accordance with the invention, an employee can request a machine-readable, digitally signed W2 form, or other form, and request that the form so generated be mailed to the employee's address of record.

While the preferred embodiments of the present invention have been illustrated in detail, it should be apparent that modifications and adaptations to those embodiments may occur to one skilled in the art without departing from the scope of the present invention as set forth in the following claims.

What is claimed is:

1. A signature verification method for use with a hardcopy document which is to bear a signature by a customer, the customer having a secure private key, the customer's private key corresponding with a publicly available public key, the method comprising the steps of:

generating a digital signature, employing the customer's private key; the signature being based on the content of the hard-copy document, the step of generating employing an existentially unforgeable signature scheme;

associating the signature with the hard-copy document;

decoding the signature based on the customer's public key, thereby verifying that the customer signed the hard-copy document because the customer's private key was used; and

verifying the content of the hard-copy document against the decoded signature, thereby verifying that the signature was made for the hard-copy document.

2. A signature verification method as recited in claim 1, wherein the step of maintaining a database of keys includes the steps of:

generating a key; and

notarizing the key.

3. A signature verification method as recited in claim 2, wherein:

(i) the step of maintaining a database of keys includes the steps, executed for a customer, of:

generating a key pair including a private key and a public key,

storing the private key in a secure way, and

outputting the public key as a two-dimensional code; and

(ii) the step of notarizing includes the steps of:

presenting the two-dimensional code and proof of the customer's identity to an authority, the authority having a private key,

generating a two-dimensional encoding of the key presented, the encoding including a signature of the private key of the authority, and

presenting the two-dimensional encoding of the key presented, signed with the private key of the authority, as a receipt to the customer.

4. A signature verification method as recited in claim 2, wherein the step of (iii) outputting includes outputting the public key as a two-dimensional code signed using a predetermined system key.

5. A signature verification method as recited in claim 1, wherein the step of generating a signature includes



establishing the customer's identity. 

6. A signature verification method as recited in claim 5, 
wherein: 

the step of maintaining a database of keys includes issuing 
the customer an identity card programmed with infor- 
mation regarding the customer's identity; and 

the step of establishing the customer's identity includes: 

(i) establishing an interface between the identity card and 
a signature system having an identity card interface and 
a user interface, and 

(ii) the user interactively performing an identification 
procedure, using the user interface, wherein the user's 
identity is established based on the programming of the 
identity card. 



